Ozment: Cybersecurity can't be centralized

DHS' Andy Ozment said "every aspect of government has to be dealing with cybersecurity."

There are few federal officials more central to cybersecurity than Andy Ozment, the Department of Homeland Security's assistant secretary for cybersecurity and communications. Yet Ozment is adamant that cybersecurity responsibilities cannot be consolidated at his agency or any other.

Greater centralization is certainly on the table. DHS is seeking to elevate its National Protection and Programs Directorate (which includes Ozment's office) into a full-blown Cybersecurity and Infrastructure Protection Agency. And Sen. Sheldon Whitehouse (D-R.I.) has called for a governmentwide inspector general for cyber issues.

A true one-stop shop for all things cyber -- something proposed by former GOP presidential hopeful Ben Carson -- is not being seriously considered, but at the Commission on Enhancing National Cybersecurity's final field meeting on Sept. 19, Commerce Secretary Penny Pritzker seemed to think the fundamental idea was serious enough to warrant an explicit pushback.

Ozment, who spoke Sept. 19 at the National Press Club, echoed Pritzker's concerns.

"A lot of people will say, 'Well, I want one cybersecurity agency,'" he said during a panel discussion hosted by the nonprofit organization Center Forward. "The truth is, cyberspace and thus cybersecurity are touching every aspect of American lives."

That means agencies ranging from the Transportation Department to the Food and Drug Administration must play a part, Ozment said -- not just DHS, the military and the intelligence community.

"Every aspect of government has to be dealing with cybersecurity," he said. "There's no way to say this one agency [is] in charge."

Ozment conceded that "there's been a lot of confusion within the government about who does what over the last decade," but he contended that real progress has been made.

"We've laid out the lanes in the road," he said. "I think we've reached a good point where we've laid out those goals and responsibilities, [and] I would urge the next administration not to re-litigate them because we'd waste enormous amounts of time trying to decide who does what."

Microsoft's Chris Krebs, who also participated in the panel discussion, agreed that the next president's staff will find "there's been a whole lot of work done in the last 18 months."

Krebs, a former DHS policy adviser who is now Microsoft's director of cybersecurity policy, said the challenge lies in helping the new policymakers digest and understand all those efforts. And there is an opportunity in fresh eyes and ideas, he said.

"What are we going to do with the federal [chief information security officer] position, for example?" Krebs asked. "We can keep it, we can elevate it, we can move it.... It's tactical questions like that they're going to deal with."

For those beginning to plan for the transition, he offered a reminder: "We all need to be cognizant of the fact that new administrations do what new administrations do. And they change stuff that the last administration did, regardless of the party."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.




Reader comments

Wed, Sep 28, 2016 Dan Walsh

I believe Pritzker's and Ozment's thinking on this topic, similar to Ben Carson's, is incomplete. The idea is not centralization versus decentralization; we need both. The best analogy I can suggest is the Federal Aviation Administration air traffic control oversight. It is centrally administered but decentrally deployed and implemented. What the Government and the security vendor industry have been doing for too long is requiring each organization to manage its own security. This has proven impossible to achieve for a number of reasons and would be akin to asking each airline to oversee its air traffic, rather than a centralized authority to centrally administer via a distributed management system.

Tue, Sep 27, 2016 Sean

We already have a wealth of cybersecurity "how to's" in the NIST cyber security framework and the 800 series, not to mention all that the Center for Internet Security (CIS) has to offer. If everyone just implemented what they've been mandated to do, it is likely we wouldn't be having this conversation.

Wed, Sep 21, 2016 Jon Stitzel

I agree that having one government agency responsible for the implementation and management of all cybersecurity controls is a non-starter. It would never work. However, I think there should be one agency to create and govern a Federal Government-level holistic cybersecurity program, and with the recognized authority to hold all other Federal agencies accountable for meeting their cybersecurity responsibilities as outlined in that program. Allowing each agency to set its own rules and cybersecurity stance is inviting vulnerabilities and gaps in the system.
